Logging and Alerting in a Hybrid Environment


So, I am working in a company where we are revamping the entire concept of how we do security, to include a centralized SOC/CERT at the company HQ level, who are responsible for bringing logging in from ALL of our divisions and subsidiaries; translating those events into a common operational picture of the current state of alerts and events across the company; and investigating alerts and events that would indicate a security incident.


We are going all-in on establishing a data lake where these events would be coming in, stored and analyzed. Still not sure about using Sentinel or going another route. My question to the team here...is there a definitive document or documents from MS that says, "these are the minimum logs you would want/need" for effective monitoring of a hybrid, on-prem, multi-cloud provider environment?


A centralized best-practices document, or a series of them, would be ideal!
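The "common operational picture" the post describes is, in practice, a normalisation layer in front of the data lake: every feed (Windows security events, Linux auth logs, cloud audit records) is mapped onto one schema, and the SOC can then check which expected sources are actually reporting and correlate across them. The following is an added example illustrating that idea; it is not code from the original thread or from Microsoft. The three sample events, the field mappings and the `EXPECTED_SOURCES` list are all constructed assumptions for illustration, not a recommended minimum set of logs.

```python
"""
Added example (not part of the original post): normalise security events from
several source formats into one common schema, then report which expected log
sources have reported in and how many failed logons each user/IP pair produced.
All sample data and the expected-source list below are constructed.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample events from three hypothetical feeds (source, raw record).
SAMPLE_EVENTS = [
    # Windows security event exported as JSON (constructed; 4625 = failed logon)
    ("windows_security", '{"EventID": 4625, "TimeCreated": "2024-03-01T08:15:02Z", '
                         '"TargetUserName": "jdoe", "IpAddress": "10.0.0.7", "Computer": "DC01"}'),
    # Linux sshd auth log line (constructed)
    ("linux_auth", "Mar  1 08:16:10 web01 sshd[2211]: Failed password for jdoe from 10.0.0.7 port 52211 ssh2"),
    # Cloud audit record as JSON (constructed, vendor-neutral field names)
    ("cloud_audit", '{"eventTime": "2024-03-01T08:17:44Z", "principal": "jdoe", '
                    '"sourceIp": "10.0.0.7", "action": "ConsoleLogin", "outcome": "Failure"}'),
]

# Illustrative assumption: sources the SOC expects to see, used for a coverage check.
EXPECTED_SOURCES = {"windows_security", "linux_auth", "cloud_audit", "firewall", "dns"}

# Parses the classic syslog-style sshd password line; anything else is rejected.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def normalise(source, raw, year=2024):
    """Map one raw event into the common schema; return None if it cannot be parsed."""
    if source == "windows_security":
        d = json.loads(raw)
        return {"source": source, "time": d["TimeCreated"], "host": d["Computer"],
                "user": d["TargetUserName"], "src_ip": d["IpAddress"], "action": "logon",
                "outcome": "failure" if d["EventID"] == 4625 else "success"}
    if source == "linux_auth":
        m = SYSLOG_RE.match(raw)
        if not m:
            return None
        # Syslog lines carry no year, so the caller supplies it (assumption: UTC).
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"source": source,
                "time": ts.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "user": m["user"], "src_ip": m["ip"], "action": "logon",
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if source == "cloud_audit":
        d = json.loads(raw)
        return {"source": source, "time": d["eventTime"], "host": "cloud", "user": d["principal"],
                "src_ip": d["sourceIp"], "action": d["action"].lower(),
                "outcome": d["outcome"].lower()}
    return None  # unknown feed: surface it as unparsed rather than guessing


def build_picture(events, expected=EXPECTED_SOURCES):
    """Normalise all events, list silent sources, and count failed logons per (user, src_ip)."""
    normalised = [n for n in (normalise(s, r) for s, r in events) if n]
    seen = {n["source"] for n in normalised}
    failures = {}
    for n in normalised:
        if n["outcome"] == "failure":
            key = (n["user"], n["src_ip"])
            failures[key] = failures.get(key, 0) + 1
    return {"events": normalised,
            "missing_sources": sorted(expected - seen),
            "failed_logons": failures}


if __name__ == "__main__":
    picture = build_picture(SAMPLE_EVENTS)
    print("sources not reporting:", picture["missing_sources"])
    print("failed logons by (user, ip):", picture["failed_logons"])
```

The value of the common schema shows up in `build_picture`: the same user and source IP failing to log on against a domain controller, a Linux host and a cloud console are three events in three formats, but one row in the picture; and `missing_sources` is the kind of check that turns a "minimum logs" list into something you can actually monitor for gaps.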

Hello Edwin,

There is not a single document with this info, but I hope the options below will help you:

Sentinel Best Practices (talks about some logs that should be collected, regardless of whether they are on-prem or not)
https://www.microsoft.com/security/blog/wp-content/uploads/2020/07/Azure-Sentinel-whitepaper.pdf

Security Best Practices: this one looks at security best practices for each workload and also covers logging
https://docs.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns